Describe object level access permission
parent 8ae3df8105
commit 65de40f985
1 changed file with 48 additions and 2 deletions
notes.md
@ -4,8 +4,54 @@ I divide the security points that I think are important into 3 classes: 1) Criti
1. DB Password in codebase
2. SECRET_KEY in codebase and same in development and production
3. Object level access permission missing
- I see the UserPermission class and I am assuming it is for managing object level permission but I am not sure how it is being used for object level permissions.
3. Object level access control permission missing
- I see the UserPermission class and I am assuming it is for managing object level permission but I am not sure how it is being used for object level permissions. By object permissions, I mean granting add/delete/change/view permissions on an object to a particular user or a group.
- In Django we generally use the django-guardian module to accomplish this.
https://django-guardian.readthedocs.io/en/stable/
- Each object can be assigned permission specifically to a user or a group
For eg. the following (taken from https://django-guardian.readthedocs.io/en/stable/userguide/assign.html#assign-obj-perms)
```
>>> from django.contrib.auth.models import User
>>> boss = User.objects.create(username='Big Boss')
>>> joe = User.objects.create(username='joe')
>>> task = Task.objects.create(summary='Some job', content='', reported_by=boss)
>>> joe.has_perm('assign_task', task)
False
>>> from guardian.shortcuts import assign_perm
>>> assign_perm('assign_task', joe, task)
>>> joe.has_perm('assign_task', task)
True
```
The following code taken from payroll/views.py file lines 1119-1137
```
@login_required
def attachment_delete(request, pk):
"""
Attachment löschen
"""
# Attachment auswählen
instance = Attachment.objects.get(id=pk)
# Dateipfad ermitteln
file_path = str(instance.attachment)
# Physische Datei löschen
try:
os.remove(os.path.join(MEDIA_ROOT, file_path))
except:
pass
# Instanz löschen
instance.delete()
# zurück zur Ursprungsseite
return HttpResponseRedirect(request.META.get('HTTP_REFERER', '/'))
```
Anyone who can login to the system, could potentially delete an attachment belonging to some other user, which may be disastrous. We could easily overcome this like the example from django-guardian above.
4. Check session management carefully
5. I am not sure what exact Django version the app is designed for. I am assuming some version of Django 2.x.x. based on my attempt to run the project. It would be nice to check all vulnerabilities for this specific version of Django.
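Review bot: the `attachment_delete` view quoted in this hunk looks the row up with `Attachment.objects.get(id=pk)` and never checks who owns it, so the cheapest fix for the finding is to scope the lookup to the caller rather than to introduce django-guardian for one view: fetch the attachment through a queryset filtered by the requesting user (or by a parent record the user is already allowed to see) with `get_object_or_404`, so a pk belonging to someone else yields a 404 instead of a deletion. If the guardian route is kept, the note should state what the quoted example leaves implicit: `has_perm(...)` on a model instance only consults object permissions when `'guardian.backends.ObjectPermissionBackend'` is listed in `AUTHENTICATION_BACKENDS`, and the `assign_task` permission in the snippet exists only because the docs' `Task` model declares it under `Meta.permissions`, so both steps are needed for the recommendation to work in this codebase. Three smaller points on the same view belong in the same item while the file is being written: the view answers GET, so a deletion can be triggered by any link or image a logged-in user loads (Django's CSRF middleware does not cover GET; restrict it with `@require_POST`); an unknown pk raises `DoesNotExist` and surfaces as a 500; and the bare `except: pass` around `os.remove` hides every failure, while the final redirect to `request.META.get('HTTP_REFERER', '/')` sends the user to a header value the client controls.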